Introduction





> Near Field Communication (NFC) protocol over short-distance RFID at 13.56MHz


> Enables contactless data exchanges between passive tags (PICC) and 
active hosts (PCD) 

> DESFire type cards provide modern cryptographic algorithms and 
more sophisticated feature set 

> Chameleon Mini (RevG) devices used for pentesting and security 
applications as tag emulators and data loggers 
High-level Overview





1. NFC used for wireless communication within a proximity of 
approximately 10 centimeters 

2. Common in applications like physical authentication with door 
readers, university ID cards, to exchange credentials renting bikes or 
motorized scooters, and to charge limited credit transactions to 
vending machines and other virtual payment kiosks 

3. Often encountered tag types include: MIFARE Classic, MIFARE 
Ultralight, NTAG and others over standardized ISO protocols and 
wrapped instruction sets 

4. DESFire tags: DES/3DES/AES crypto + integrity checking, larger
memory storage sizes (typically up to 8Kb), more complex filesystem
organization and file type support, including secret key storage and
variable access permissions

5. Chameleon Mini: A pentesting / development / security type device 
developed over the past six+ years or so that is designed to emulate 
common contactless tags, facilitate on-the-fly bytewise data exchanges, 
and log otherwise transparent low-level data exchanges over NFC 


Introduction 


High-level overview (cont'd) 





> DESFire emulation support for the Chameleon Mini has been a 
frequently requested, however complicated to deliver, feature for years 


> How the first testing releases came together in the Fall of 2020 
> https://github.com/emsec/ChameleonMini/pull/287 
1. The Chameleon RevG generation of devices includes hardware
support on the integrated ATMega chip for AES and DES 
cryptographic primitives. 

2. Even so, only partial support for DESFire tags was added, as a fork of
the main Chameleon firmware by @devzzo in 2017

3. I decided to take on the task publicly ironically drinking beer after 
reading another issue requesting this support on the main firmware 
sources page on GitHub in the Spring of 2020 

4. I am proud to have been able to do what I characterize as having
“hacked for freedom with free and open source software” to bring
awareness to certain societal issues and systematic injustice during the
first wave of the COVID-19 pandemic in 2020. In fact, the first public
testing release of the DESFire enabled firmware binaries was made
after the low-level source code came together with me staying up the
entire weekend with vim on my Mac terminal after late US Supreme
Court Justice, RBG, sadly passed from pancreatic cancer on Rosh
Hashanah last year. The release notes included an iconic image of her
reading “I dissent”.


Introduction 





> Significance: First of its kind functional embedded proof-of-concept 
DESFire stack that is freely available as OSS to researchers, security 
experts and end users alike 


> Limitations: Small R&D budget for testing and lack of standardized 
default data transfer modes to ensure interoperability amongst door 
readers in applications 





Maxie Dion Schmidt (GA Tech) FTC 2021 — Embedded DESFire October 2021 4/31 


2021-08-27 




High-level overview (cont'd)


1. No notes for this page 















1. No notes: Title slide only 





Introduction 





> The Chameleon Mini device hardware profile and embedded software 
features 


> Overview of key features of the proprietary DESFire command set 


> Key features and challenges in writing the embedded DESFire
implementation (with examples)
Chameleon Mini Hardware


1. Moved to GA Tech in 2017 as a Ph.D. student in the School of Math

2. Shortly after arriving on campus I was issued a student ID with an 
integrated DESFire EV1 tag 

3. This was also around the time I had purchased my first developer 
grade Android phone 

4. I decided that I wanted the physical authentication to doors on 
campus to work not only with the standard issue university ID but 
also with my phone 

5. Exploration with Android OS application development and limitations 
of low-level NFC data exchange transparency on the stock MotoDroid 
led me to seek external hardware to help reverse engineer the bytes I 
would need to exchange from phone to door reader, and vice versa 




Origins of the project II 
1. Enter the KAOS Chameleon Mini RevG devices from the EU

2. One of the key new features of the RevG generation of Chameleon 
devices is a LIVE logging feature by which the device can sniff 
bidirectional NFC data packets and print them in realtime over the 
integrated serial USB interface 

3. The RHS image shows an early prototype of my CMLD application for 
Android designed to display this LIVE logging data in human 
readable format portably and on-the-fly 


Chameleon Mini Hardware Motivation 





> On-board integration of a modern AVR chip (ATxmega128A4U)


> Memory: 128Kb of FLASH, 8Kb of SRAM, and 2Kb of EEPROM 
spaces and support for faster FRAM-based memory access 


> Accelerated hardware support for AES and DES cryptographic engines 


> Embedded firmware and flashable bootloader support to memory map 
the integrated RF hardware on the PCB 


> Serial data transfer over wired micro-USB 


Chameleon Mini Hardware Motivation 





> Embedded OSS firmware and bootloader sources in C and ASM 
compiled with avr-gcc that are flashed to the device over USB 


> Convenient serial terminal that has a human-readable command set 
for easy on-the-fly configuration of emulated tags 

> Ability to act as a PICC, PCD or bidirectional NFC packet sniffer 
depending on the active configuration set in one of the eight 8Kb 
sized partitions of the onboard memory 

> Logging of time-stamped communication details and status events to 
internal FRAM memory or LIVE mode printed to the serial USB 
DESFire tags

DESFire NFC Tags





> Multiple nested and semi-interoperable generations of DESFire tags: 
Legacy Mifare DESFire, EV1, EV2, EV3 and Light variants 


> Larger scale integrated memory storage sizes than most contactless 
NFC tags (usually 2Kb, 4Kb or 8Kb) 

> Standard use of modern cryptographic algorithms for secure data 
exchange (legacy DES/3DES/AES-128/AES-256) 

> Data messages optionally padded with integrity-check bytes to ensure
data integrity over the physical interface, using 2-byte CRC checksums
or 4-byte cryptographic MAC trailers

> Implementations are complicated by proprietary handling of most 
DESFire tag specs by the manufacturers 
DESFire NFC Tags





> Files grouped by allocations of the physical IC memory into top-level 
subdirectories called applications indexed by unique application 
identifier (AID) 

> Native file types: Standard data files (type 0), backup data files (type 
1), value files (type 2), linear record files (type 3), and cyclic record 
files (type 4) 

> Each file carries 2 bytes of access rights covering its read, write,
read-and-write and change permissions.

> Access permissions on the files provide more secure protections for 
storage of secret binary key data 
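The following Python is an added example, not code from the talk or the Chameleon firmware. It decodes the 2-byte access-rights word into its four permission fields and flags files whose permissions let an unauthenticated reader read or modify them. The layout it assumes (four 4-bit fields for read, write, read-and-write and change access rights, each holding a key number 0 to 13, 0xE for free access or 0xF for access denied, sent LSB first on the wire) is the standard DESFire encoding rather than something the slide spells out; the `audit_file` helper is this example's own addition.

```python
# Added example, not the Chameleon firmware's code. Assumed layout of the 16-bit
# DESFire access-rights word (standard encoding, not stated on the slide):
#   bits 15..12 read, 11..8 write, 7..4 read&write, 3..0 change access rights.
# Each 4-bit field names the key that must have been authenticated first:
#   0x0..0xD key number, 0xE free access (no authentication), 0xF access denied.
FREE_ACCESS = 0xE
DENIED = 0xF
FIELDS = ("read", "write", "read_write", "change")


def decode_access_rights(word: int) -> dict:
    """Split a 16-bit access-rights value into {field: key number | 'free' | 'deny'}."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("access rights are a 16-bit value")
    nibbles = [(word >> shift) & 0xF for shift in (12, 8, 4, 0)]
    rights = {}
    for name, nib in zip(FIELDS, nibbles):
        rights[name] = "free" if nib == FREE_ACCESS else "deny" if nib == DENIED else nib
    return rights


def encode_access_rights(read, write, read_write, change) -> int:
    """Inverse of decode_access_rights; each argument is a key number, 'free' or 'deny'."""
    def nib(value):
        if value == "free":
            return FREE_ACCESS
        if value == "deny":
            return DENIED
        if isinstance(value, int) and 0 <= value <= 0xD:
            return value
        raise ValueError("key number must be 0..13, 'free' or 'deny'")
    return (nib(read) << 12) | (nib(write) << 8) | (nib(read_write) << 4) | nib(change)


def access_rights_from_wire(two_bytes: bytes) -> int:
    """The word travels LSB first in the CreateXFile / GetFileSettings parameters."""
    if len(two_bytes) != 2:
        raise ValueError("expected exactly 2 bytes")
    return int.from_bytes(two_bytes, "little")


def audit_file(word: int, holds_secret: bool) -> list:
    """Findings a reviewer of a tag's file layout would flag for one file."""
    rights = decode_access_rights(word)
    findings = []
    if holds_secret and (rights["read"] == "free" or rights["read_write"] == "free"):
        findings.append("secret file readable without authentication")
    if rights["write"] == "free" or rights["read_write"] == "free":
        findings.append("file writable without authentication")
    if rights["change"] == "free":
        findings.append("access rights changeable without authentication")
    return findings
```

A file created with access rights 0xEEEE is readable, writable and reconfigurable by anyone who can select the application, which is the case an audit of a deployed card layout should catch first.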





1. There is a default master (PICC) application with associated master
keys for authentication that is the default selected AID upon initial
handshaking from PICC to PCD and vice versa

2. The actively selected AID can be changed via another subsequent
structured command call initiated from PICC to PCD

3. Within each application space, the file entries are partitioned into data
files or records that can store variable length hexadecimal-formatted
binary data or signed integer values that can be debited and credited
by invoking native instructions

4. Access to sensitive files secured by the cryptographic mechanisms
supported by these tags requires both a base round of initial
handshaking (PICC-to-PCD) that generates a session key, which is then
followed by a cryptographic checksum verified exchange of the
authentication process using a secret DES/3DES/AES key


DESFire NFC Tags 





> Instructions are communicated either by sending unpadded native
commands or by sending ISO-standardized wrapped APDU messages


PICC-to-PCD wrapped APDU data exchange format:

CLA | INS | P1 | P2 | Lc | Data Bytes | Le
0x90 | command code | 0x00 | 0x00 | variable length of data | command data | 0x00

PCD-to-PICC format:

Data Bytes | SW1 | SW2 (Status)
DESFire command response data | 0x91 | 0xYY
Commands and native instruction support


























1. Wrapped APDU format for native DESFire commands in the
PICC-to-PCD direction (ISO-7816-5 message structure).

2. Format of the response message for native DESFire commands in the
PCD-to-PICC direction. The SW2 status code byte returned by the
PCD (denoted by 0xYY above) is set to either 0x00 to indicate no error
in processing the command or is encoded as a reserved byte code to
provide an explanation of an error that occurred on the PCD side. The
returned error codes are used to indicate problems ranging from
hardware errors, to authentication and access permissions errors, to
AID and file not found warnings, or to communicate that invalid
parameters were passed in the issuing command call.
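As an added example that is not part of the talk or the firmware, the Python below builds the wrapped APDU form of a native command exactly as the table lays it out (CLA 0x90, INS, P1 P2 = 0x00 0x00, Lc and data only when there is data, Le = 0x00) and splits a reply into its data bytes and the SW2 status behind SW1 = 0x91. The two status values the notes describe (0x00 and 0xAF) come from the slide; the remaining names in `STATUS_NAMES` are assumed from the commonly documented DESFire status list.

```python
# Added example (not the firmware's or the talk's code): build the wrapped APDU
# form of a native DESFire command and split a reply into data + status.
from dataclasses import dataclass

CLA_WRAPPED = 0x90   # CLA for native commands wrapped in ISO 7816-4 APDUs
SW1_DESFIRE = 0x91   # SW1 of every wrapped-mode reply; SW2 carries the status

# SW2 status names. 0x00 and 0xAF follow the slide's description; the other
# entries are assumed from the commonly documented DESFire status list.
STATUS_NAMES = {
    0x00: "OPERATION_OK", 0xAF: "ADDITIONAL_FRAME", 0x0C: "NO_CHANGES",
    0x0E: "OUT_OF_EEPROM_ERROR", 0x1C: "ILLEGAL_COMMAND_CODE", 0x1E: "INTEGRITY_ERROR",
    0x40: "NO_SUCH_KEY", 0x7E: "LENGTH_ERROR", 0x9D: "PERMISSION_DENIED",
    0x9E: "PARAMETER_ERROR", 0xA0: "APPLICATION_NOT_FOUND", 0xAE: "AUTHENTICATION_ERROR",
    0xBE: "BOUNDARY_ERROR", 0xCA: "COMMAND_ABORTED", 0xDE: "DUPLICATE_ERROR",
    0xEE: "EEPROM_ERROR", 0xF0: "FILE_NOT_FOUND",
}


def wrap_native(ins: int, data: bytes = b"") -> bytes:
    """CLA INS P1 P2 [Lc data] Le, the row layout of the table above."""
    if not 0 <= ins <= 0xFF:
        raise ValueError("INS must be one byte")
    if len(data) > 0xFF:
        raise ValueError("a single wrapped frame carries at most 255 data bytes")
    apdu = bytes([CLA_WRAPPED, ins, 0x00, 0x00])
    if data:                      # Lc and the data field appear only when there is data
        apdu += bytes([len(data)]) + data
    return apdu + b"\x00"         # Le = 0x00: accept a response of any length


@dataclass
class Response:
    data: bytes
    status: int

    @property
    def ok(self) -> bool:
        return self.status == 0x00

    @property
    def more(self) -> bool:       # 0xAF: a further frame follows in this command
        return self.status == 0xAF

    @property
    def name(self) -> str:
        return STATUS_NAMES.get(self.status, "UNKNOWN_0x%02X" % self.status)


def unwrap_response(raw: bytes) -> Response:
    """Split 'data ... SW1 SW2' into the data bytes and the SW2 status."""
    if len(raw) < 2:
        raise ValueError("reply shorter than the two status bytes")
    if raw[-2] != SW1_DESFIRE:
        raise ValueError("unexpected SW1 0x%02X; wrapped DESFire replies use 0x91" % raw[-2])
    return Response(bytes(raw[:-2]), raw[-1])
```

`wrap_native(0x5A, bytes.fromhex("000000"))` yields the SelectApplication frame for the PICC master application, and a reply of `91 AF` after an authenticate command signals that the PCD must send the next frame with INS 0xAF rather than treating the exchange as finished.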


DESFire NFC Tags

Command Long Name | INS | Description
AUTHENTICATE | 0x0A | Legacy mode authentication
AUTHENTICATE_ISO | 0x1A | ISO authentication with 3DES
AUTHENTICATE_AES | 0xAA | Standard AES authentication
AUTHENTICATE_EV2_FIRST | 0x71 | More recent EV2 authentication mode
AUTHENTICATE_EV2_NONFIRST | 0x77 | More recent EV2 authentication mode
CHANGE_KEY_SETTINGS | 0x54 | Modify PICC master key properties
SET_CONFIGURATION | 0x5C | Used to configure DESFire card or application specific attributes
CHANGE_KEY | 0xC4 | Changes the key data stored on the PICC
GET_KEY_VERSION | 0x64 | Returns the active key version stored on the PICC
CREATE_APPLICATION | 0xCA | Creates new applications by unique AID
DELETE_APPLICATION | 0xDA | Non-restorable deletion operation
GET_APPLICATION_IDS | 0x6A | Returns a list of all AID codes stored on the PICC
FREE_MEMORY | 0x6E | Returns the total free memory on the tag in bytes
GET_DF_NAMES | 0x6D | Obtain the ISO7816-4 DF names associated with the tag
GET_KEY_SETTINGS | 0x45 | Get permissions data and format for PICC and application master keys
SELECT_APPLICATION | 0x5A | Select a specific application by AID for further access
Supported command codes

















1. Commands to authenticate with a few cryptographic protocols (e.g., 
legacy mode, 3DES, AES), modify and create keys, and create 
container applications (much like directories) 


DESFire NFC Tags

Command Long Name | INS | Description
FORMAT_PICC | 0xFC | Releases the previously stored user memory (not reversible)
GET_VERSION | 0x60 | Returns manufacturing header data stored in the PICC
GET_CARD_UID | 0x51 | Returns the 7-byte card UID assigned by the manufacturer
GET_FILE_IDS | 0x6F | Get a list of the file identifiers (by index) within the selected AID
GET_FILE_SETTINGS | 0xF5 | Obtain properties and permissions about a file
CHANGE_FILE_SETTINGS | 0x5F | Modify access permissions of an existing file
CREATE_STDDATA_FILE | 0xCD | Add new unformatted binary data storage file type
CREATE_BACKUPDATA_FILE | 0xCB | Create unformatted binary file with a shadow backup mechanism
CREATE_VALUE_FILE | 0xCC | Create new 32-bit integer storage file
CREATE_LINEAR_RECORD_FILE | 0xC1 | Create new fixed size file for sequential storage of structurally similar record data structures
CREATE_CYCLIC_RECORD_FILE | 0xC0 | Similar to the linear record case except that there is a wrap-around storage functionality when the file size limit is exceeded
Supported command codes

















1. Commands to reset the tag to a default blank contents mode, obtain 
the manufacturer bytes, and create files of various types 


DESFire NFC Tags

Command Long Name | INS | Description
DELETE_FILE | 0xDF | Non-restorable deactivation of a file within the active AID
GET_ISO_FILE_IDS | 0x61 | Returns a list of the 2-byte file identifiers of all files within the active AID
READ_DATA | 0xBD | Read byte-wise contents of standard or backup file types
WRITE_DATA | 0x3D | Write data at an offset to standard or backup file types
GET_VALUE | 0x6C | Reads the last permanently stored integer from value records
CREDIT | 0x0C | Increase the integer stored in a value file
DEBIT | 0xDC | Decrease the integer stored in a value file
LIMITED_CREDIT | 0x1C | Increase by a preset limited amount the integer in a value record (must commit the transaction changes at a later time)
WRITE_RECORD | 0x3B | Write data to a linear or cyclic record file type
READ_RECORDS | 0xBB | List the set of complete records in the associated file type
CLEAR_RECORD_FILE | 0xEB | Reset a linear or cyclic record type to an empty state
COMMIT_TRANSACTION | 0xC7 | Validates the previous write access permissions and credit permissions of all files within the selected AID
Supported command codes

















1. Commands to delete files and read/write/modify their respective 
contents 


DESFire NFC Tags

Command Long Name | INS | Description
ABORT_TRANSACTION | 0xA7 | Invalidates the previous changes to the files within the selected AID
SELECT | 0xA4 | ISO7816-4 standard command support
GET_CHALLENGE | 0x84 | ISO7816-4 standard command support
EXTERNAL_AUTHENTICATE | 0x82 | ISO7816-4 standard command support
INTERNAL_AUTHENTICATE | 0x88 | ISO7816-4 standard command support
READ_BINARY | 0xB0 | ISO7816-4 standard command support
UPDATE_BINARY | 0xD6 | ISO7816-4 standard command support
READ_RECORDS | 0xB2 | ISO7816-4 standard command support
APPEND_RECORD | 0xE2 | ISO7816-4 standard command support

1. A subset of the ISO7816-4 standard commands


























DESFire NFC Tags

Select Application By AID:
-> 90 5a 00 00 03 00 00 00 00
<- 91 00

Start AES Authenticate:
-> 90 aa 00 00 01 00 00
<- 54 b8 9e fe 19 9b c6 a5 fd 8f 00 be c1 23 99 c0 | 91 af
-> 90 af 00 00 10 be 9c 3e c6 7e df a0 79 13 59 ac 4c 75 5f 81 69 | 00
<- a9 e2 79 42 11 63 9c 14 07 b3 02 2f 2e 4b 2e c5 | 91 00

Get AID List From Device:
-> 90 6a 00 00 00 00
<- 77 88 99 01 00 34 | 91 00

CreateApplication command:
-> 90 ca 00 00 05 77 88 99 0f 03 00
<- 91 de

Get AID List From Device:
-> 90 6a 00 00 00 00
<- 77 88 99 01 00 34 | 91 00
Data exchanges with the Chameleon DESFire configuration











1. More complete examples of data exchanges using these commands are 
found in the conference proceedings article and in the LibNFC testing 
code within the Chameleon mini main firmware repository on GitHub 
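The Python below is an added example, not the talk's or the firmware's code, and not the LibNFC testing code the note refers to. It reads a `->` / `<-` trace in the layout of the exchange above, names each command from the INS table earlier in the deck, ties 0xAF continuation frames back to the command they belong to, and reports non-OK status replies and the authentication or key-changing commands a reviewer of a captured exchange would want called out. `TRACE` is constructed from the bytes shown on the slide (the `|` separators and the repeated GetApplicationIDs round are dropped, and GetApplicationIDs is sent in the five-byte form with no Lc); the `SENSITIVE_INS` selection is this example's own choice.

```python
# Added example, not from the talk or the firmware: annotate a "->" / "<-" trace
# using the native INS codes from the command tables earlier in the deck.
# "->" lines are wrapped commands sent to the tag, "<-" lines are its replies
# (data followed by the 0x91 xx status trailer).
INS_NAMES = {
    0x0A: "AUTHENTICATE", 0x1A: "AUTHENTICATE_ISO", 0xAA: "AUTHENTICATE_AES",
    0xAF: "ADDITIONAL_FRAME", 0x54: "CHANGE_KEY_SETTINGS", 0xC4: "CHANGE_KEY",
    0x5A: "SELECT_APPLICATION", 0x6A: "GET_APPLICATION_IDS", 0xCA: "CREATE_APPLICATION",
    0xDA: "DELETE_APPLICATION", 0xFC: "FORMAT_PICC", 0x60: "GET_VERSION",
    0x51: "GET_CARD_UID", 0x6F: "GET_FILE_IDS", 0xF5: "GET_FILE_SETTINGS",
    0xCD: "CREATE_STDDATA_FILE", 0xBD: "READ_DATA", 0x3D: "WRITE_DATA",
    0x6C: "GET_VALUE", 0x0C: "CREDIT", 0xDC: "DEBIT", 0xC7: "COMMIT_TRANSACTION",
}
# Commands worth calling out when reviewing a captured exchange (this example's
# own selection): authentication attempts and key- or data-destroying operations.
SENSITIVE_INS = {0x0A, 0x1A, 0xAA, 0xC4, 0x54, 0xFC, 0xDA}
STATUS_OK, STATUS_MORE = 0x00, 0xAF

# Constructed trace, assembled from the bytes shown on the slide.
TRACE = """\
-> 90 5a 00 00 03 00 00 00 00
<- 91 00
-> 90 aa 00 00 01 00 00
<- 54 b8 9e fe 19 9b c6 a5 fd 8f 00 be c1 23 99 c0 91 af
-> 90 af 00 00 10 be 9c 3e c6 7e df a0 79 13 59 ac 4c 75 5f 81 69 00
<- a9 e2 79 42 11 63 9c 14 07 b3 02 2f 2e 4b 2e c5 91 00
-> 90 6a 00 00 00
<- 77 88 99 01 00 34 91 00
-> 90 ca 00 00 05 77 88 99 0f 03 00
<- 91 de
"""


def parse_line(line: str):
    """'-> 90 5a ...' or '<- 91 00' -> (direction, bytes)."""
    direction, hexbytes = line.strip().split(None, 1)
    if direction not in ("->", "<-"):
        raise ValueError("unknown direction marker %r" % direction)
    return direction, bytes.fromhex(hexbytes)


def annotate(trace: str) -> list:
    """One event per line; 0xAF continuation frames are tied back to their command."""
    events, pending = [], None      # pending = (ins, name) of the command still being answered
    for line in trace.strip().splitlines():
        direction, b = parse_line(line)
        if direction == "->":
            if len(b) < 5 or b[0] != 0x90:
                raise ValueError("not a wrapped native command: %s" % b.hex())
            ins = b[1]
            data = b[5:5 + b[4]] if len(b) > 5 else b""   # Lc then data; Le follows
            name = INS_NAMES.get(ins, "UNKNOWN_0x%02X" % ins)
            if ins == 0xAF and pending is not None:
                base_ins, base = pending
                name = "ADDITIONAL_FRAME for %s" % base
            else:
                base_ins, base = ins, name
                pending = (ins, name)
            events.append({"from": "reader", "command": name, "base": base,
                           "data": data.hex(), "sensitive": base_ins in SENSITIVE_INS})
        else:
            if len(b) < 2 or b[-2] != 0x91:
                raise ValueError("reply without a 0x91 status trailer: %s" % b.hex())
            status = b[-1]
            events.append({"from": "tag", "reply_to": pending[1] if pending else None,
                           "status": status, "data": b[:-2].hex()})
            if status != STATUS_MORE:   # anything but 0xAF ends the current command
                pending = None
    return events


def summarize(trace: str) -> dict:
    """Command sequence, error replies (command, SW2) and flagged sensitive commands."""
    events = annotate(trace)
    return {
        "commands": [e["command"] for e in events if e["from"] == "reader"],
        "errors": [(e["reply_to"], e["status"]) for e in events
                   if e["from"] == "tag" and e["status"] not in (STATUS_OK, STATUS_MORE)],
        "flagged": sorted({e["base"] for e in events if e["from"] == "reader" and e["sensitive"]}),
    }
```

Run over `TRACE`, the summary shows the select, the two-frame AES authentication, the AID listing and the CreateApplication call, and reports the 0xDE reply to CreateApplication as the one error in the exchange.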


An Embedded Open Source DESFire Stack for the Chameleon Mini

OSS Embedded DESFire





> New native AES support using hardware acceleration support 


> Extensions of prior work to add hardware based DES and 3DES 
support to the firmware 


> Changes to the codec layer of the firmware to support DESFire tags 


> Enhancements and bug fixes to the LIVE logging functionality of the 
Chameleon RevG devices 

> New default customized extension of the Chameleon terminal 
commands to enhance DESFire configuration support for users (see 
next slide) 







> CONFIG=MF_DESFIRE
> DF_SETHDR=ATS 0675F7B102
> UID=2377000B99BF98

DF_SETHDR=ATS xxxxxxxxxx
DF_SETHDR=HardwareVersion xxxx
DF_SETHDR=SoftwareVersion xxxx
DF_SETHDR=BatchNumber xxxxxxxxxx
DF_SETHDR=ProductionDate xxxx
DESFIRE TAG CONFIGURATION COMMANDS





[Figure: DESFire tag configuration command menu; legible labels: SETHDR, SET-HWVER, SET-SWVER, SET-BATCHNO, SET-PRODDATE, PPRINT-FULL, PPRINT-PICCHDR, FWINFO, LOGMODE=ON, LOGMODE=OFF, TESTMODE=ON, TESTMODE=OFF]


1. Chameleon Mini terminal input for firmware compiled with DESFire 
emulation support to configure an IBM-JCOP branded NFC tag. 

2. The extended Chameleon terminal for DESFire emulation can be used 
to clone the header data on the tag that is assumed unique by the 
manufacturer. This includes ATS bytes, HW/SW versions, batch 
numbers, the production date, and of course the UID that can be reset 
by all Chameleon tag configurations 





OSS Embedded DESFire 





NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits: 26 (7 bits)
Received bits: 03 44
Sent bits: 93 20
Received bits: 88 23 77 00 dc
Sent bits: 93 70 88 23 77 00 dc 4b b3
Received bits: 04
Sent bits: 95 20
Received bits: 0b 99 bf 98 b5
Sent bits: 95 70 0b 99 bf 98 b5 2f 24
Received bits: 20
Sent bits: e0 50 bc a5
Received bits: 75 77 81 02 80
Sent bits: 50 00 57 cd

Found tag with
UID: 2377000b99bf98
ATQA: 4403
SAK: 20
ATS: 75 77 81 02 80
DESFire emulation support (anti-collision loop)





1. Output of reading the resulting DESFire tag emulated by the 
Chameleon Mini device using an externally connected USB NFC 
reader with the LibNFC nfc-anticol utility 
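As an added example, not LibNFC's nfc-anticol code and not the firmware's, the Python below checks a transcript in the format above: it recomputes the ISO 14443-3 CRC_A trailer on the reader's SELECT, RATS and HLTA frames, verifies the BCC byte on each cascade-level reply, and assembles the 7-byte UID from the two cascade levels (dropping the 0x88 cascade tag), which is how a reader confirms that the UID an emulated tag presents is internally consistent. `TRANSCRIPT` is constructed from the bytes shown on the slide; the CRC_A routine is the standard 0x6363-preset algorithm, not something the slide states.

```python
# Added example, not LibNFC's or the firmware's code: check an nfc-anticol style
# transcript of the ISO 14443-3 anticollision loop, recomputing CRC_A on the
# reader's CRC-protected frames, checking each cascade level's BCC and
# assembling the 7-byte UID. TRANSCRIPT is constructed from the slide's bytes.
TRANSCRIPT = """\
Sent bits: 26 (7 bits)
Received bits: 03 44
Sent bits: 93 20
Received bits: 88 23 77 00 dc
Sent bits: 93 70 88 23 77 00 dc 4b b3
Received bits: 04
Sent bits: 95 20
Received bits: 0b 99 bf 98 b5
Sent bits: 95 70 0b 99 bf 98 b5 2f 24
Received bits: 20
Sent bits: e0 50 bc a5
Received bits: 75 77 81 02 80
Sent bits: 50 00 57 cd
"""
CASCADE_SEL = (0x93, 0x95, 0x97)   # SEL bytes for cascade levels 1..3
CASCADE_TAG = 0x88                  # CT: more UID bytes follow at the next level


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (preset 0x6363), returned LSB first as it goes on the wire."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def bcc(four_bytes: bytes) -> int:
    """Block check character: XOR of the four UID/CT bytes of one cascade level."""
    value = 0
    for b in four_bytes:
        value ^= b
    return value


def parse_transcript(text: str) -> list:
    """[('sent' | 'recv', bytes), ...]; '(7 bits)' style annotations are dropped."""
    frames = []
    for line in text.strip().splitlines():
        if not line.startswith(("Sent bits:", "Received bits:")):
            continue
        label, rest = line.split(":", 1)
        frames.append(("sent" if label.startswith("Sent") else "recv",
                       bytes.fromhex(rest.split("(")[0])))
    return frames


def analyse(text: str) -> dict:
    """UID, ATQA, SAK, ATS plus whether every CRC_A and BCC in the transcript checked out."""
    frames = parse_transcript(text)
    result = {"uid": "", "atqa": None, "sak": None, "ats": None, "crc_ok": True, "bcc_ok": True}
    uid = b""
    for idx, (kind, frame) in enumerate(frames):
        if kind != "sent":
            continue
        nxt = frames[idx + 1] if idx + 1 < len(frames) else None
        reply = nxt[1] if nxt and nxt[0] == "recv" else b""
        if frame[0] == 0x26:                                       # REQA -> ATQA, LSB first
            result["atqa"] = int.from_bytes(reply, "little")
        elif frame[0] in CASCADE_SEL and frame[1] == 0x20:         # anticollision poll (no CRC)
            if len(reply) == 5 and bcc(reply[:4]) == reply[4]:
                uid += reply[1:4] if reply[0] == CASCADE_TAG else reply[:4]
            else:
                result["bcc_ok"] = False
        elif frame[0] in CASCADE_SEL and frame[1] == 0x70:         # SELECT, CRC_A protected -> SAK
            result["crc_ok"] = result["crc_ok"] and crc_a(frame[:-2]) == frame[-2:]
            result["sak"] = reply[0] if reply else None
        elif frame[0] == 0xE0:                                     # RATS -> ATS
            result["crc_ok"] = result["crc_ok"] and crc_a(frame[:-2]) == frame[-2:]
            result["ats"] = reply.hex()
        elif frame[0] == 0x50:                                     # HLTA, no reply expected
            result["crc_ok"] = result["crc_ok"] and crc_a(frame[:-2]) == frame[-2:]
    result["uid"] = uid.hex()
    return result
```

On the transcript above the two cascade levels assemble to UID 2377000b99bf98 with ATQA 4403 and SAK 20, matching the summary nfc-anticol prints, and every CRC_A and BCC checks out; a single altered byte in a cascade reply or a SELECT frame turns the corresponding flag false.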


OSS Embedded DESFire 





> Approximately six to eight months of active development were 
required to complete the project 


> Forced by local embedded system constraints to carefully optimize 
and organize our use of the embedded AVR memory to resolve 
insufficient memory type exceptions 

> The speedup in computations for AES and 3DES operations provides 
an order of magnitude improvement compared to existing OSS 
libraries for AVR chips 

> A complicated nested, quasi-linked pointer based structure was 
required to efficiently store the filesystem entries and tag accounting 
metadata 
Challenges with the implementation during development





1. Most notably, the structures and buffer space needed to store 
cryptographic structures for use with AES and 3DES were carefully 
leveraged on the stack to avoid unrecoverable overflow errors and race 
conditions 

2. Primarily used LibNFC on MacOS and Linux to test the implementation 
with an external USB NFC tag reader/writer 

3. The testing code in C was contributed to the firmware sources with the 
main PR to add the DESFire support 

4. Several sample dumps of the working implementation are also 
bundled with the firmware repo to verify compatibility and 
functionality whenever new PRs are incorporated to extend the current 
working implementation. Some experimental non-default features are 
tested by editing the Makefile 


Credits and Concluding Discussion 


Concluding Remarks 
Credits and Concluding Discussion





> Initial sources for the DESFire Chameleon firmware are due to Dmitry 
Janushkevich (@devzzo) (2017) 


> Professor Josephine Yu in the School of Math at GA Tech in the US 


> The original Kasper and Oswald (KAOS) developers of the 
Chameleon Mini hardware and software 


> David Oswald from the University of Birmingham in the UK 
That brings me to the most important piece of advice that I can
give to all of you: if you've got a good idea, and it's a contribution,
I want you to go ahead and DO IT. It is much easier to apologize
than it is to get permission. — Grace Hopper


I think a lot of the basis of the open source movement comes from
procrastinating students. — Andrew Tridgell


Life would be much easier if I had the source code. — Anonymous





Thank you for attending! 